[Snyk] Fix for 8 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	Prototype Pollution npm:lodash:20180130	No	No Known Exploit
	Remote Memory Exposure npm:mongoose:20160116	No	Mature

Commit messages

Package name: @snyk/nodejs-runtime-agent

The new version differs by 28 commits.

• ade9436 Merge pull request [Snyk] Security upgrade lodash from 4.17.4 to 4.17.17 #111 from snyk/snyk-fix-93368b07b9de27f1dbf0560f8ba14c21
• 4b5269a test: update test fixture to match acorn@5.7.2
• 919477e fix: package.json & package-lock.json to reduce vulnerabilities
• a502cbb Merge pull request [Snyk] Security upgrade adm-zip from 0.4.7 to 0.4.11 #107 from snyk/docs/readme
• dde1526 docs: describe supported Node versions on our README.md
• 83fe936 Merge pull request [Snyk] Fix for 8 vulnerabilities #103 from snyk/chore/codeowners
• 4b0109f chore: codeowners
• 435f878 Merge pull request [Snyk] Fix for 3 vulnerabilities #99 from snyk/chore/bumps
• 8ef98c8 test: limit concurrency to 1
• c53384a chore: upgrade tap; js-yaml is no longer
• 50a0844 chore: bump semver
• 391a2c5 chore: low-risk bumps
• 800766c chore: run tests on random port
• 3d90fb9 test: try and close the demo server cleanly
• 4b9407e Merge pull request [Snyk] Security upgrade @snyk/nodejs-runtime-agent from 1.43.0 to 1.46.1 #95 from snyk/snyk-upgrade-a55862565132729ebb483a4754f7857d
• cb5af6b chore: upgrade needle from 2.2.1 to 2.4.0
• b8fde78 Merge pull request [Snyk] Fix for 5 vulnerabilities #94 from snyk/feat/lazy-class
• f58306c feat: allow lazy || wrapper classes
• 626c3b7 Merge pull request [Snyk] Security upgrade mongoose from 4.2.4 to 4.2.5 #91 from snyk/chore/bump-travis
• eee4a01 Merge pull request [Snyk] Fix for 6 vulnerabilities #92 from snyk/chore/update_func_snapshot
• 5c6e90c fix: de/normalise all file separators in a string
• 8129211 chore: update repo functions snapshot
• 5d8f892 chore: removing unused clone_depth from appveyor.yaml
• d577eac chore: bump travis to xenial

See the full diff

Package name: adm-zip

The new version differs by 50 commits.

• 80d259f Version bump
• 3f00a03 Fixed Bump lodash from 4.17.4 to 4.17.21 #176
• 650e752 Fixed wrong date on files (issue [Snyk] Security upgrade ejs from 1.0.0 to 3.1.10 #203)
• d01fa8c Fixed bugs introduced with 0.4.9
• c0cc85d Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#219 from jontore/master
• 39c83a2 Merge pull request Snyk fix PR (addresses 2 issues) #209 from poshta1900/fix
• b94c5dd Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#227 from hhaidar/master
• c95c553 Merge pull request [Snyk Update] New fixes for 16 vulnerable dependency paths snyk-labs/nodejs-goof#228 from jmcollin78/patch-1
• cda668c Fix issue [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#218
• 0f2cb41 Fix octal literals so they work in strict mode
• 888931d To support strict mode use 0o prefix to octal numbers
• 89b6f67 Update package.json
• 9592298 Update README.md
• ce59e5a Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#215 from grnd/master
• 38cb4a4 fix: resolve both target and entry path
• 18c3d31 Update package.json
• 666adec Update package.json
• 499d59b Update package.json
• 62f6400 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#212 from aviadatsnyk/master
• 6f4dfeb fix: prevent extracting archived files outside of target path
• ef0abe6 add try-catch around fs.writeSync
• e116bc1 Merge pull request Snyk fix PR (addresses 1 issues) #208 from pmuens/patch-1
• 12d2099 Fix data accessing example in README
• 032566b Merge pull request [Snyk] Security upgrade tap from 10.7.3 to 12.0.2 #204 from BridgeAR/master

See the full diff

Package name: express

The new version differs by 250 commits.

• ea3d605 4.15.5
• 40435ec deps: serve-static@1.12.6
• 7137bf5 deps: send@0.15.6
• bd1672f deps: finalhandler@~1.0.6
• 9395db4 deps: debug@2.6.9
• 19a2eeb tests: check render error without engine-specific message
• d7da225 build: should@13.1.0
• 961dbff deps: serve-static@1.12.5
• 9e0fa7f deps: send@0.15.5
• 9e067ad deps: fresh@0.5.2
• de5fb62 deps: update example dependencies
• b208b24 build: should@13.0.1
• 78e5510 build: mocha@3.5.3
• 48817a7 build: remove minor pin for nightly
• a4bd437 4.15.4
• a50f109 deps: serve-static@1.12.4
• e2d725e deps: send@0.15.4
• e006622 lint: remove all unused varaibles
• 44881fa docs: update collaborator guide for lint script
• 1dbaae5 deps: update example dependencies
• 56e90e3 lint: add eslint rules that cover editorconfig
• 713d2ae tests: fix incorrect should usage
• e0aa8bf build: mocha@3.5.0
• 85770a7 deps: finalhandler@~1.0.4

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• f88eb25 fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
• 1db031c test(schema): clean up messy tests re: #8459
• 8fa8012 test: test cleanup re: #8459
• 4a55040 chore: remove problematic mongoose-long dep and use mongodb 3.4 in tests
• 91f95da chore: run consistent mongod version in tests
• 0e65e6e chore: release 4.13.20
• 803090d fix(schema): make aliases handle mongoose-lean-virtuals
• 6a8b381 chore: add .config.js to gitignore and npmignore
• f51c4aa chore: release 4.13.19
• 2aeeaa8 Merge pull request #7950 from cdimitroulas/backport-aggregate-options-bugfix
• b10cc98 rename aggregation option test
• d9a2027 fix bug: Using options in aggregates doesn't set anything
• 75daf18 chore: release 4.13.18
• 8c75e9b chore: dont run nsp
• c8b8720 style: fix lint
• edf70e4 fix(cast): backport fix from #7290 to 4.x
• 29f6709 fix(model): handle setting populated path set via `Document#populate()`
• 0e1772f test(document): repro #7302
• 2370f97 chore: now working on 4.13.18
• 4545d44 chore: release 4.13.17
• fb8b644 fix(document): disallow setting constructor and prototype if strict mode false
• b33d8c2 style: fix lint
• df93f5b chore: release 4.13.16
• a3b98f6 fix(document): disallow setting __proto__ if strict mode false

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic